Tenable Exec: Our 'Battle Cry' Is Enabling Channel Opportunities In IoT Security, Helping Secure Both IT And OT

IoT Security Is A Customer Challenge But a Channel Opportunity

As more Internet of Things devices with potential vulnerabilities come online, Tenable wants to be at the forefront in helping customers ensure they are secure.

Tenable's Nessus platform serves as a monitor analyzing network traffic to provide visibility into managed and unmanaged assets on the network. The company recently set its eyes on industrial IoT, saying in June that it has incorporated it Nessus Network Monitor alongside new container and web application security products, to enable vulnerability management of operational technology assets.

CRN talked with Tenable Chief Revenue Officer John Negron about the company's channel drive around IoT security and how Tenable hopes to develop its strategy around the Internet of Things.

Talk about Tenable's flagship product, Nessus, and the security issues that this device addresses.

Our company spawned out of an open-source project called Nessus, which is a third-generation vulnerability scanning tool. Security practitioners could launch the scanner and scan systems, software and network devices on any network to give them a give a sense of what holes are in the network. That could include wide-open guest accounts on servers, operating system files that serve as big holes that people can take advantage of, and versions of software that are known to be vulnerable. The tool essentially gives you visibility for what could be unlocked by a hacker. Tenable was born from this.

What kind of adoption are you seeing from customers around IoT? What are the IoT implications for the security landscape?

You have organizations with data centers and traditional IT compute who are migrating their workloads up to the cloud. Then there's large industrial companies declaring they are now digital companies, like GE. You have governments all around the world becoming digital and setting up internet initiatives in their country to become more connected. We're seeing this wave of digitization in everything we do in life. It's a way to improve society and everyone's life.

But then you put your security hat on. There's a dark side to this whole thing – when you start thinking about, it the potential consequences are pretty bad. Hackers have been getting into traditional IT environments. Now that you're digitizing cloud, and bringing critical workloads up to the cloud, all you’ve done is increase the attackable surface space. IoT would just amplify the hackers' playground. That’s the dark side of the equation.

How does your platform helps customers who are adding IoT devices onto their network?

We want to help customers prioritize and manage their data, so we also built an assessment platform into our architecture. This includes a multifaceted assessment capability, which is one of the most robust in the marketplace today.

This is essential when you think about security and people defending themselves from the industrialized hacker, or nation-state hackers. We've seen with WannaCry that hacktivists and organized hackers are coming in hot and heavy. One of the things security professionals who are working for the government are trying to figure out is how to assess their tech and see if they are using software that’s vulnerable.

What's the channel opportunity around IoT?

We have been a channel company for a long time. We look to the partner ecosystems to help us in the U.S. market. We look at managed security service providers, systems integrators and other organizations who drive and have access to the buyers who need security for IoT and cloud.

When you think about this problem it’s a big C-suite problem, versus only the IT and OT security teams. The C-Suite really cares, they see how WannaCry took down the entire U.K. health-care system. Those partners who have C-Suite level, CIO, or CSO relationships we can leverage, come in with a story about what we have to offer. Not many software companies have turned the corner with their portfolio to include modern IT infrastructure. A lot of legacy organizations are still caught in traditional IT and now have to deal with cloud and with IoT. We're ready now, so our partners are also ready.

What kind of customers do you serve, in terms of size and vertical markets?

We serve a large constituent set of markets. That includes original open-source users, like academic students and engineers using our assessment technology. Our customer base goes from a student at MIT all the way up through small to midsize business to large government to enterprise companies. Then we have our business systems and strategy making sure we do a good job with the community.

On the industrial side, what security challenges are operational technology teams facing as they connect more industrial control systems to the internet?

The reality is that the technology of a lot of traditional vendors in cyber has been disrupted. Our customers are moving to this modern landscape and embracing the cloud and IoT. A lot of old technologies don’t work in the cloud. If you look at industrial control systems and SCADA systems, and other systems on the factory floor, they are all being IP-enabled. That’s a big problem and the horse has already left the barn. With this new modern compute environment, most security teams are asking what they should do now in terms of security.

For industrial IoT, companies are looking to bridge those two environments, and they're not there yet. They have different silos of operational technology and IT, and the tools are all different. For the hacker, it's all one big platform. Bad guys only have to get in through one exploitable hole, either on the IT or OT side. But we're heading down the road to solve this problem. With traditional IT compute environments, we can help them assess the security vulnerability and give them the ability to solve this vulnerability.

That’s our battle cry -- to be one of the innovators keeping up with the reality of modern compute.